Processing a dispersed storage network access request utilizing certificate chain validation information

US 9,686,268 B2
Filed: 01/06/2014
Issued: 06/20/2017
Est. Priority Date: 11/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method for execution in a dispersed storage network (DSN), the method comprises:

for a realm of a plurality of realms of the DSN, wherein the realm has a group of DSN devices affiliated therewith, has a set of certificate authorities affiliated therewith, and has a unique realm identifier and wherein at least one certificate authority of the set of certificate authorities is a root certificate authority for the realm;

sending, by a dispersed storage managing unit certificate authority of the DSN, registry information to a storage unit of the DSN, wherein the registry information includes at least one of a network certificate and vault information;

sending, by the dispersed storage managing unit certificate authority, a certificate signing request of the storage unit to a certificate authority of the set of certificate authorities;

when the certificate authority is the root certificate authority, generating, by the root certificate authority, a root certificate in response to the certificate signing request, wherein the root certificate includes a signature of the root certificate authority;

when the certificate authority is an intermediate certificate authority for the realm, generating, by the intermediate certificate authority, an intermediate certificate in response to the certificate signing request, wherein the intermediate certificate includes the root certificate and a signature based on the signature of the root certificate authority or signature of another certificate authority of the set of certificate authorities;

generating, by the dispersed storage managing unit certificate authority, a certificate chain from the root certificate or the intermediate certificate; and

sending, by the dispersed storage managing unit certificate authority, the certificate chain to the storage unit.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method begins by a processing module receiving a dispersed storage network (DSN) access request that includes a requester identifier (ID), wherein the requester ID is associated with a certificate chain. When the certificate chain is valid, the method continues with the processing module accessing registry information for the DSN. The method continues with the processing module identifying one of a plurality of access control lists based on at least one of information associated with the requester ID and information associated with the certificate chain, identifying one or more entries of the one of the plurality of access control lists based on the information associated with the certificate chain to produce one or more identified entries, and generating, for the DSN access request, permissions from one or more sets of permissions associated with the one or more identified entries.

Citations

14 Claims

1. A method for execution in a dispersed storage network (DSN), the method comprises:
- for a realm of a plurality of realms of the DSN, wherein the realm has a group of DSN devices affiliated therewith, has a set of certificate authorities affiliated therewith, and has a unique realm identifier and wherein at least one certificate authority of the set of certificate authorities is a root certificate authority for the realm;
  
  sending, by a dispersed storage managing unit certificate authority of the DSN, registry information to a storage unit of the DSN, wherein the registry information includes at least one of a network certificate and vault information;
  
  sending, by the dispersed storage managing unit certificate authority, a certificate signing request of the storage unit to a certificate authority of the set of certificate authorities;
  
  when the certificate authority is the root certificate authority, generating, by the root certificate authority, a root certificate in response to the certificate signing request, wherein the root certificate includes a signature of the root certificate authority;
  
  when the certificate authority is an intermediate certificate authority for the realm, generating, by the intermediate certificate authority, an intermediate certificate in response to the certificate signing request, wherein the intermediate certificate includes the root certificate and a signature based on the signature of the root certificate authority or signature of another certificate authority of the set of certificate authorities;
  
  generating, by the dispersed storage managing unit certificate authority, a certificate chain from the root certificate or the intermediate certificate; and
  
  sending, by the dispersed storage managing unit certificate authority, the certificate chain to the storage unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprises:
    - when the certificate authority is a second intermediate certificate authority for the realm, generating, by the second intermediate certificate authority, a second intermediate certificate in response to the certificate signing request, wherein the second intermediate certificate includes the intermediate certificate and the root certificate; and
      
      generating, by the dispersed storage managing unit certificate authority, the certificate chain from the root certificate, the intermediate certificate, or the second intermediate certificate.
  - 3. The method of claim 1 further comprises:
    - sending, by the dispersed storage managing unit certificate authority, a second certificate signing request of the storage unit to a second certificate authority of the set of certificate authorities, wherein the second certificate authority is associated with a second realm;
      
      when the second certificate authority is a second root certificate authority, generating, by the second root certificate authority, a second root certificate in response to the second certificate signing request;
      
      when the second certificate authority is a second intermediate certificate authority, generating, by the second intermediate certificate authority, a second intermediate certificate in response to the second certificate signing request, wherein the second intermediate certificate includes the second root certificate; and
      
      generating, by the dispersed storage managing unit certificate authority, a second certificate chain from the second root certificate or the second intermediate certificate.
  - 4. The method of claim 1 further comprises:
    - updating the certificate chain when a new certificate authority is added to the set of certificate authorities by;
      
      when the new certificate authority is a new root certificate authority, generating, by the new root certificate authority, a new root certificate in response to the certificate signing request;
      
      when the new certificate authority is a new intermediate certificate authority for the realm, generating, by the new intermediate certificate authority, a new intermediate certificate in response to the certificate signing request, wherein the new intermediate certificate includes the new root certificate or the root certificate; and
      
      generating, by the dispersed storage managing unit certificate authority, an updated certificate chain from the new intermediate certificate.
  - 5. The method of claim 4 further comprises:
    - updating the certificate chain when the new certificate authority is replacing a phased-out certificate authority of the set of certificate authorities.
  - 6. The method of claim 1 further comprises:
    - providing, by the dispersed storage managing unit certificate authority, the certificate chain to a DSN device of the group of DSN devices for at least one of trusted access to the realm and trusted communication within the realm.
  - 7. The method of claim 1 further comprises:
    - receiving, by the dispersed storage managing unit certificate authority, a DSN access request from a DSN device of the group of DSN devices to access the realm, wherein the DSN access request includes a version of the certificate chain;
      
      determining, by the dispersed storage managing unit certificate authority, whether the version of the certificate chain is valid; and
      
      when the version of the certificate chain is valid, processing, by the dispersed storage managing unit certificate authority, the DSN access request.

8. A non-transitory computer readable storage medium comprises:
- for a realm of a plurality of realms of a dispersed storage network (DSN), wherein the realm has a group of DSN devices affiliated therewith, has a set of certificate authorities affiliated therewith, and has a unique realm identifier and wherein at least one certificate authority of the set of certificate authorities is a root certificate authority for the realm;
  
  a first memory section that stores operational instructions that, when executed by a dispersed storage managing unit certificate authority, causes the dispersed storage managing unit certificate authority to;
  
  send registry information to a storage unit of the DSN, wherein the registry information includes at least one of a network certificate and vault information;
  
  send a certificate signing request to Sa certificate authority of the set of certificate authorities;
  
  a second memory section that stores operational instructions that, when executed by the certificate authority, causes the certificate authority to;
  
  when the certificate authority is the root certificate authority, generate a root certificate in response to the certificate signing request, wherein the root certificate includes a signature of the root certificate authority; and
  
  when the certificate authority is an intermediate certificate authority for the realm, generate an intermediate certificate in response to the certificate signing request, wherein the intermediate certificate includes the root certificate and a signature based on the signature of the root certificate authority or signature of another certificate authority of the set of certificate authorities; and
  
  the first memory section further stores operation instructions that, when executed by the dispersed storage managing unit certificate authority, causes the dispersed storage managing unit certificate authority to;
  
  generate a certificate chain from the root certificate or the intermediate certificate; and
  
  send the certificate chain to the storage unit.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer readable storage medium of claim 8 further comprises:
    - the second memory section further stores operational instructions that, when executed by the certificate authority, causes the certificate authority to;
      
      when the certificate authority is a second intermediate certificate authority for the realm, generate a second intermediate certificate in response to the certificate signing request, wherein the second intermediate certificate includes intermediate certificate and the root certificate; and
      
      the first memory section further stores operation instructions that, when executed by the dispersed storage managing unit certificate authority, causes the dispersed storage managing unit certificate authority to;
      
      generate the certificate chain from the root certificate, the intermediate certificate, or the second intermediate certificate.
  - 10. The non-transitory computer readable storage medium of claim 8 further comprises:
    - the first memory section further stores operation instructions that, when executed by the dispersed storage managing unit certificate authority, causes the dispersed storage managing unit certificate authority to;
      
      send a second certificate signing request to a second certificate authority of the set of certificate authorities;
      
      a third memory section that stores operational instructions that, when executed by the second certificate authority, causes the second certificate authority to;
      
      when the second certificate authority is a second root certificate authority, generate a second root certificate in response to the second certificate signing request; and
      
      when the second certificate authority is a second intermediate certificate authority for the realm, generate a second intermediate certificate in response to the second certificate signing request, wherein the second intermediate certificate includes the second root certificate; and
      
      the first memory section further stores operation instructions that, when executed by the dispersed storage managing unit certificate authority, causes the dispersed storage managing unit certificate authority to;
      
      generate a second certificate chain from the second root certificate or the second intermediate certificate.
  - 11. The non-transitory computer readable storage medium of claim 8 further comprises:
    - the first memory section further stores operation instructions that, when executed by the dispersed storage managing unit certificate authority, causes the dispersed storage managing unit certificate authority to;
      
      initiate updating the certificate chain when a new certificate authority is added to the set of certificate authorities by sending a new certificate signing request to the new certificate authority;
      
      a third memory section that stores operational instructions that, when executed the new certificate authority, causes the new certificate authority to;
      
      when the new certificate authority is a new root certificate authority, generate a new root certificate in response to the new certificate signing request;
      
      when the new certificate authority is a new intermediate certificate authority for the realm, generate a new intermediate certificate in response to the new certificate signing request,wherein the new intermediate certificate includes the new root certificate or the root certificate; and
      
      the first memory section further stores operation instructions that, when executed by the dispersed storage managing unit certificate authority, causes the dispersed storage managing unit certificate authority to;
      
      generate an updated certificate chain from the new intermediate certificate.
  - 12. The non-transitory computer readable storage medium of claim 11 further comprises:
    - the first memory section further stores operation instructions that, when executed by the dispersed storage managing unit certificate authority, causes the dispersed storage managing unit certificate authority to;
      
      initiate the updating the certificate chain when the new certificate authority is replacing a phased-out certificate authority of the set of certificate authorities.
  - 13. The non-transitory computer readable storage medium of claim 8 further comprises:
    - the first memory section further stores operation instructions that, when executed by the dispersed storage managing unit certificate authority, causes the dispersed storage managing unit certificate authority to;
      
      provide the certificate chain to a DSN device of the group of DSN devices for at least one of trusted access to the realm and trusted communication within the realm.
  - 14. The non-transitory computer readable storage medium of claim 8 further comprises:
    - the first memory section further stores operation instructions that, when executed by the dispersed storage managing unit certificate authority, causes the dispersed storage managing unit certificate authority to;
      
      receive a DSN access request from a DSN device of the group of DSN devices to access the realm, wherein the DSN access request includes a version of the certificate chain;
      
      determine whether the version of the certificate chain is valid; and
      
      when the version of the certificate chain is valid, process the DSN access request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Cilfone, Bart, Resch, Jason K., Leggette, Wesley
Primary Examiner(s)
Wang, Harris C

Application Number

US14/148,118
Publication Number

US 20140181506A1
Time in Patent Office

1,261 Days
Field of Search

713156
US Class Current
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

H04L 9/3265 using certificate chains, t...

Processing a dispersed storage network access request utilizing certificate chain validation information

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Processing a dispersed storage network access request utilizing certificate chain validation information

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links